The effects of changes in European legislation on external and internal auditing


Corporate governance and control are receiving more attention than ever before, as evidenced by the recent financial crisis (e.g. the valuation of banking assets), corporate collapses such as Enron in the USA, and the lack of internal controls within Siemens AG and Volkswagen AG in Germany. This paper concentrates on corporate governance and control outside the banking sector (which is already highly regulated), starting with the legal basis and audit requirements imposed externally, followed by the internal implementation of rules such as audit committees and internal audit departments. Last, an assessment and outlook on future trends in corporate governance and auditing will be given.


The current financial crisis led to a loud outcry for more governance in politics and corporations. Corporate governance is in the spotlight in the banking sector, where a heated discussion is going on about the fair value of troubled assets. In industry, corporate governance and one of its components, risk management, is being questioned because the crisis has led, for example, to fewer contracts for many companies at an almost unchanged cost level, resulting in many companies going out of business; this implies that this macro risk was not adequately provided for.

One could argue that perhaps corporate risk management systems have failed, but even many good risk management systems would not have foreseen or included the week-long downtime of (air) traffic in Europe caused by the recent eruption of the Icelandic volcano and its effects on global business. [1] 

These failures lead to the question of why some corporate risks were only inadequately addressed in the past, and who would be best placed to assess the risk management system and its evaluation. Legislation is in place in Europe (and the USA) stating the requirements for corporate risk management and also naming the institutions responsible for auditing it.

External auditors, however, in recent years themselves have been under scrutiny after spectacular company scandals namely at Enron, WorldCom and Parmalat. [2] The collapse of the U.S. bank Lehman Brothers at the beginning of the current crisis prompted discussions on the role and capability of external auditors, even involving the European Commission in the matter. "Jeremy Newman, head of BDO International, one of the world's largest six accounting groups, says this 'renewed scrutiny' is also bound to revive those earlier debates on what users can expect from an audit. We need to recognize that the nature of business has changed. It is quicker, more connected and more global and very different to the nature of business in the last century and it is right to ask if audit has kept pace with this change. The answer may be 'yes' or 'no' but it is a valid question to ask." [3]

This is one question that this paper will attempt to answer by explaining the roles of external auditors as given by the relevant legislation and business practices. More importantly, the main focus will lie on the other major control function found in larger multinational corporations: internal audit. What is its role in corporate governance and risk management, what should it be and which trends are visible for future development?

In larger corporations, risk management and the internal control system are evaluated by the Internal Audit department and in cooperation also by the external auditor mandated by the relevant legislation. In Germany, legislation on a top level is given by the European Union, which has become more and more important since 2005 with the mandatory introduction of International Financial Reporting Standards (IFRS) for listed companies, although initial legislation dates back to 1985. [4] 

The most recent legislation is the Gesetz zur Modernisierung des Bilanzrechts (Bilanzrechtsmodernisierungsgesetz - BilMoG), introduced in May 2009 with a wide range of implications for German companies, e.g. the mandatory implementation of an Audit Committee coordinating, amongst other things, the work of external and internal auditors.

Analyzing the relationship between these auditors and their roles is the main purpose of this paper, highlighting their functions in a risk management system based on, e.g., corporate governance as mandated by the Deutscher Corporate Governance Kodex, but also showing possible conflicts of interest and solutions to this problem.

In the conclusion, possible future audit trends will be discussed as they may need to be developed to deal with crises in a globalized business world.

Definitions / History

Agency Problem

The agency problem is best defined as the conflict between company managers' and shareholders' interests in business decisions. For example, a decision to establish a subsidiary in one location versus another may be based on the location's appeal to a particular manager rather than on its potential benefits to shareholders.

In some respects it is reassuring to note that the US company Enron's demise (the most recent major case of corporate misbehavior where shareholders' wealth was being sacrificed for managerial rewards) involved misleading shareholders by false accounting and deception. If there had been more honest disclosure of information, as is required, the abuses would most likely not have taken place. [5]

This and other major corporate demises led to significant mistrust in corporate governance, and investors' confidence in the financial markets was significantly reduced.

The lesson to be learnt from the scandal is that relevant information must be disclosed to the market. Legislation (in the US, the Sarbanes-Oxley Act of 2002), an active financial press and improved accounting regulations help shareholders make informed decisions.

In addition, internal controls in a corporation must assure that the financial statements are free of material error. External or statutory auditors certify accounts and assess internal controls as will be shown later. Internal auditors employed by the corporation similarly assess controls placed by management in the business processes.

Internal Auditing

Internal auditors at best are seen as "bean counters" in a company, in the worst case as the internal "policeman watchdog." Yes, auditing for fraudulent activity is a part of the internal audit function, so this general perception is not completely incorrect. However, auditing is multi-faceted and not limited to finding irregularities or the pure review of corporate financial statements and underlying processes.

The Internal Auditing profession evolved steadily with the progress of management science after World War II. It is conceptually similar in many ways to financial auditing by public accounting firms, quality assurance and banking compliance activities. Much of the theory underlying internal auditing is derived from management consulting and public accounting professions. [6] 

With the implementation in the United States of the Sarbanes-Oxley Act of 2002, the profession's growth accelerated, as many internal auditors possess the skills required to help companies meet the requirements of the law.

Audits are performed to ascertain the validity and reliability of information in general by providing an assessment of the internal control system of a corporation. The goal of an audit is to express an educated opinion on the organization or system under evaluation based on audit work done on a test basis. Due to practical constraints, an audit seeks to provide only reasonable assurance that the statements are free from material error. Therefore, statistical sampling is often used in audits vs. full testing.

In the case of financial audits, a set of financial statements is said to be true and fair when it is free of material misstatements - a concept influenced by both quantitative and qualitative factors.

Audit can be considered a vital part of accounting. Traditionally, audits were mainly associated with gaining information about financial systems and the financial records of a company or a business. However, recent auditing has begun to include other information about the system, such as information security risks, information systems performance (beyond financial systems) and environmental performance. As a result, there are now professions conducting security audits, IS audits and environmental audits.

In Cost Accounting, audits verify the cost of manufacture or production of any article on the basis of accounts in regards to utilization of material, labor or other cost items.

The difference between audits and assessments can be considerable or non-existent. An audit should always be an independent evaluation that includes some degree of quantitative and qualitative analysis, whereas an assessment implies a less independent and more consultative approach. As will be shown later, distinguishing between the auditor role and the consulting role is one of the conflicts facing modern internal auditors.

Internal auditors are employed by the organization they audit. Internal auditors perform various audit procedures, primarily related to the effectiveness of the company's internal controls over financial reporting. Due to the requirement of Section 404 of the Sarbanes-Oxley Act of 2002 [7] for management to also assess the effectiveness of their internal controls over financial reporting (as also required of the external auditor), internal auditors are utilized to make this assessment. This is a very recent area in which the responsibilities of external and internal auditors collide.

Though internal auditors are not considered independent of the company they perform audit procedures for, internal auditors of publicly-traded companies are required to report directly to the board of directors, or a sub-committee of the board of directors, and not to management, so as to reduce the risk that internal auditors will be pressured to produce favorable assessments.

The scope of internal auditing within an organization is broad and may involve topics such as the efficiency of operations, the reliability of financial reporting, deterring and investigating fraud, safeguarding assets, and compliance with laws and regulations.

Internal auditing frequently involves measuring compliance with the entity's policies and procedures. However, internal auditors are not responsible for the execution of company activities; they advise management and the Board of Directors (or similar oversight body) regarding how to better execute their responsibilities. As a result of their broad scope of involvement, internal auditors may have a variety of higher educational and professional backgrounds. [8] 

Publicly-traded corporations typically have an internal auditing department, led by a Chief Audit Executive ("CAE") who generally reports to the Audit Committee of the Board of Directors, with administrative reporting to the Chief Executive Officer.

The profession is unregulated, though there are a number of international standard-setting bodies, an example of which is the Institute of Internal Auditors ("IIA"). The IIA has established Standards for the Professional Practice of Internal Auditing and has over 150,000 members representing 165 countries, including approximately 65,000 Certified Internal Auditors. The German counterpart is the Deutsches Institut für Interne Revision, which is a member of the IIA and has adopted the IIA professional standards. [9]

Internal Audit Work

Based on a risk assessment of the organization, internal auditors, management and oversight Boards determine where to focus internal auditing efforts. Internal auditing activity is generally conducted as one or more discrete projects. A typical internal audit project involves the following steps:

Establish and communicate the scope and objectives for the audit to appropriate management.

Develop an understanding of the business area under review. This includes objectives, measurements, and key transaction types. This involves review of documents and interviews. Flowcharts and narratives may be created if necessary.

Describe the key risks facing the business activities within the scope of the audit.

Identify control procedures used to ensure each key risk and transaction type is properly controlled and monitored.

Develop and execute a risk-based sampling and testing approach to determine whether the most important controls are operating as intended.

Report problems identified and negotiate action plans with management to address the problems.

Follow up on reported findings at appropriate intervals. Internal audit departments maintain a follow-up database for this purpose. [10]

Project length varies based on the complexity of the activity being audited and Internal Audit resources available. By analyzing and recommending business improvements in critical areas, auditors help the organization meet its objectives.

Auditor Independence

To perform their role effectively, internal auditors require organizational independence from management, to enable unrestricted evaluation of management activities and personnel. Although internal auditors are part of company management and paid by the company, the primary customer of internal audit activity is the entity charged with oversight of management's activities. This is typically the Audit Committee, a sub-committee of the Board of Directors. To provide independence, most Chief Audit Executives report to the Chairperson of the Audit Committee and can only be replaced with the concurrence of that individual. [11] 

According to the Institute of Internal Auditors, the Internal Auditor's obligation of independence refers to:

The reporting line or status of the CAE: The Chief Audit Executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The CAE must confirm to the board, at least annually, the organizational independence of the internal audit activity.

Attitude of auditors, procedures of the internal audit department: The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.

Communication right: The chief audit executive must communicate and interact directly with the Board of Directors. [12] 

Auditor Role in Internal Control

Internal auditing activity is primarily directed at improving internal control in an organization. Under the COSO Framework [13], internal control is broadly defined as a process, initiated by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following internal control categories:

Effectiveness and efficiency of operations.

Reliability of financial reporting.

Compliance with laws and regulations.

Management is responsible for implementing and monitoring internal controls. Managers establish policies and processes to help the organization achieve specific objectives in each of these categories. Internal auditors perform audits to evaluate whether the policies and processes are designed and operating effectively and provide recommendations for improvement. [14] 

Auditor Role in Risk Management

Internal auditing professional standards require the function to monitor and evaluate the effectiveness of the organization's risk management processes. Risk management relates to how an organization sets objectives, then identifies, analyzes and responds to those risks that could potentially impact its ability to realize its objectives. [15] 

Under the COSO enterprise risk management (ERM) Framework, risks fall under strategic, operational, financial reporting, and legal/regulatory categories. Management performs risk assessment activities as part of the ordinary course of business in each of these categories. Examples include: strategic planning, marketing planning, capital planning and budgeting.

Internal auditors may evaluate each of these activities, or focus on the processes used by management to report and monitor the risks identified. For example, to help identify emerging risks internal auditors can advise management regarding the reporting of forward-looking operating measures to the Board.

In larger organizations, major strategic initiatives are implemented to achieve objectives and drive changes. As a member of senior management, the Chief Audit Executive (CAE) may participate in status updates on these major initiatives. This places the CAE in the position to report on many of the major risks the organization faces to the Audit Committee, or ensure management's reporting is effective for that purpose.

Internal auditors may help companies establish and maintain Enterprise Risk Management processes. Internal auditors also play an important role in helping companies execute a SOX 404 top-down risk assessment. Sarbanes-Oxley regulations also require extensive risk assessment of financial reporting processes. In these latter two areas, internal auditors typically are part of the project team in an advisory role.

Auditor Role in Corporate Governance

Internal auditing activity as it relates to corporate governance is generally informal, accomplished primarily through participation in meetings and discussions with members of the Board of Directors. Corporate governance is a combination of processes and organizational structures implemented by the Board of Directors to inform, direct, manage, and monitor the organization's resources, strategies and policies towards the achievement of the organization's objectives. The internal auditor is often considered one of the "four pillars" of corporate governance, the other pillars being the Board of Directors, management, and the external auditor.

A primary focus area of internal auditing as it relates to corporate governance is helping the Audit Committee of the Board of Directors (or equivalent) perform its responsibilities effectively. This may include reporting critical internal control problems, informing the Committee privately on the capabilities of key managers, suggesting questions or topics for the Audit Committee's meeting agendas and coordinating carefully with the external auditor and management to ensure the Committee receives effective information.

External Auditing

An external auditor is an audit professional who performs an audit on the financial statements of a company, government, individual, or any other legal entity or organization, and who is independent of the entity being audited. Users of these entities' financial information, such as investors, government agencies, and the general public, rely on the external auditor to present an unbiased and independent evaluation on such entities.

External auditors are distinguished from internal auditors for two main reasons:

(1) the internal auditor's primary responsibility is appraising an entity's risk management strategy and practices, management (including IT) control frameworks and governance processes, and

(2) internal auditors do not express an opinion on the entity's financial statements.

In addition to audit services, external auditors also provide other kinds of services, the most common being reviews of financial statements and compilations. In a review, auditors are generally required to tick and tie numbers to the general ledger and make inquiries of management. In a compilation, auditors are required to look at the financial statements to make sure they are free of obvious misstatements and errors.

The primary role of external auditors is to express an opinion on whether an entity's financial statements are free of material misstatements.

The independence of external auditors is crucial to a correct and thorough appraisal of an entity's financial controls and statements. Any relationship between the external auditors and the entity, other than retention for the audit itself, must be disclosed in the external auditor's reports. These rules also prohibit the auditor from owning a stake in public clients and severely limit the types of non-audit services they can provide.

Risk Management


The implementation of a Risk Management system for many German companies is mandated by the KonTraG. However, the law does not define what exactly risk and risk management is. The board is only obligated to implement a monitoring system that ensures that risks affecting the continuance or survival of the company are adequately addressed.

The International Organization for Standardization (ISO), well known in companies for its ISO 9000 standard for quality management, defines risk in its standard ISO 31000 as the effect of uncertainty on objectives, whether positive or negative. Risk management starts with the identification, assessment and prioritization of risks, followed by the use of company resources to monitor, minimize and control the probability and impact of unfavorable events. ISO is very broad in its definition, stating that risks can come from uncertainty in financial markets, project failures, legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attacks from an adversary. [16]

The strategies to manage risk include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk and accepting some or all of the consequences of a particular risk.

The International Organization for Standardization identifies the following principles of risk management:

create value.

be an integral part of organizational processes.

be part of decision making.

explicitly address uncertainty.

be systematic and structured.

be based on the best available information.

be tailored.

take into account human factors.

be transparent and inclusive.

be dynamic, iterative and responsive to change.

be capable of continual improvement and enhancement.


Once risks have been identified, they must then be assessed as to their potential severity of loss and to the probability of occurrence. These quantities can be either simple to measure, in the case of the value of a lost building, or impossible to know for sure in the case of the probability of an unlikely event occurring, e.g. the aforementioned eruption of a volcano. Therefore, in the assessment process it is critical to make the best educated guesses possible in order to properly prioritize the implementation of the risk management plan.

The fundamental difficulty in risk assessment is determining the rate of occurrence since statistical information is not available on all kinds of past incidents. Furthermore, evaluating the severity of the consequences (impact) is often quite difficult for immaterial assets. Asset valuation is another question that needs to be addressed. Thus, best educated opinions and available statistics are the primary sources of information. This is where internal audit can provide management with the necessary information.

Nevertheless, risk assessment should produce information that lets the management of the organization understand the primary risks easily and prioritize its risk management decisions. Thus, there have been several theories and attempts to quantify risks. Numerous different risk formulae exist, but perhaps the most widely accepted formula for risk quantification is:

Risk = rate of occurrence × impact of the event

Continuing Review of the Risk Management System

Initial risk management plans will never be perfect. Practice, experience, and actual loss results will necessitate changes in the plan and contribute information to allow possible different decisions to be made in dealing with the risks being faced.

Risk analysis results and management plans should be updated periodically. There are two primary reasons for this:

to evaluate whether the previously selected security controls are still applicable and effective, and

to evaluate possible changes in the risk level in the business environment. Information risks, for example, are a good example of a rapidly changing business environment.

The following diagram summarizes the risk management system and process:

Corporate Governance


Corporate governance is the set of processes, customs, policies, laws, and institutions affecting the way a corporation (or company) is directed, administered or controlled. Corporate governance also includes the relationships among the many stakeholders involved and the goals for which the corporation is governed. The principal stakeholders are the shareholders, management, and the board of directors. Other stakeholders include employees, customers, creditors, suppliers, regulators, and the community at large.

Corporate governance is a multi-faceted subject. An important theme of corporate governance is to ensure the accountability of certain individuals in an organization through mechanisms that try to reduce or eliminate the principal-agent problem. A related but separate thread of discussions focuses on the impact of a corporate governance system in economic efficiency, with a strong emphasis on shareholders' welfare. There are yet other aspects to the corporate governance subject, such as the stakeholder view and the corporate governance models around the world.

There has been renewed interest in the corporate governance practices of modern corporations since 2001, particularly due to the high-profile collapses of a number of large U.S. firms such as Enron Corporation and MCI Inc. (formerly WorldCom). In 2002, the U.S. federal government passed the Sarbanes-Oxley Act, intending to restore public confidence in corporate governance.

Parties involved in corporate governance include the regulatory body (e.g. the Chief Executive Officer, the board of directors, management, shareholders and auditors). Other stakeholders who take part include suppliers, employees, creditors, customers and the community at large.


Key elements of good corporate governance principles include honesty, trust and integrity, openness, performance orientation, responsibility and accountability, mutual respect, and commitment to the organization.

Of importance is how directors and management develop a model of governance that aligns the values of the corporate participants and then evaluate this model periodically for its effectiveness. In particular, senior executives should conduct themselves honestly and ethically, especially concerning actual or apparent conflicts of interest, and disclosure in financial reports.

Commonly accepted principles of corporate governance include:

Rights and equitable treatment of shareholders: Organizations should respect the rights of shareholders and help shareholders to exercise those rights. They can help shareholders exercise their rights by effectively communicating information that is understandable and accessible and encouraging shareholders to participate in general meetings.

Interests of other stakeholders: Organizations should recognize that they have legal and other obligations to all legitimate stakeholders.

Role and responsibilities of the board: The board needs a range of skills and understanding to be able to deal with various business issues and have the ability to review and challenge management performance. It needs to be of sufficient size and have an appropriate level of commitment to fulfill its responsibilities and duties. There are issues about the appropriate mix of executive and non-executive directors.

Integrity and ethical behaviour: Ethical and responsible decision making is not only important for public relations, but it is also a necessary element in risk management and avoiding lawsuits. Organizations should develop a code of conduct for their directors and executives that promotes ethical and responsible decision making. It is important to understand, though, that reliance by a company on the integrity and ethics of individuals is bound to eventual failure. Because of this, many organizations establish Compliance and Ethics Programs to minimize the risk that the firm steps outside of ethical and legal boundaries.

Disclosure and transparency: Organizations should clarify and make publicly known the roles and responsibilities of board and management to provide shareholders with a level of accountability. They should also implement procedures to independently verify and safeguard the integrity of the company's financial reporting. Disclosure of material matters concerning the organization should be timely and balanced to ensure that all investors have access to clear, factual information.

Issues involving corporate governance principles include:

internal controls and internal auditors

the independence of the entity's external auditors and the quality of their audits

oversight and management of risk

oversight of the preparation of the entity's financial statements

review of the compensation arrangements for the chief executive officer and other senior executives

the resources made available to directors in carrying out their duties

the way in which individuals are nominated for positions on the board

dividend policy

Nevertheless "corporate governance," despite some feeble attempts from various quarters, remains an ambiguous and often misunderstood phrase. For quite some time it was confined only to corporate management. That is not so. It is something much broader, for it must include a fair, efficient and transparent administration and strive to meet certain well defined, written objectives. Corporate governance must go well beyond law.

Internal Control

In 1992, COSO published Internal Control - Integrated Framework, a multi-volume report that establishes a common definition of internal control and provides a standard by which organizations can assess and improve their control systems.

COSO defines internal control as a process, effected by an entity's board of directors, management and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

Internal control is a process. It is a means to an end, not an end in itself.

Internal control is not merely documented by policy manuals and forms. Rather, it is put in place by people at every level of an organization.

Internal control can provide only reasonable assurance, not absolute assurance, to an entity's management and board.

Internal control is geared to the achievement of objectives in one or more separate but overlapping categories. [17] 

Relevant legislation / Professional Standards

Introduction Accounting Scandals (e.g. Enron, Siemens)

European Legislation

In the European Union (EU), directives of the Council are supranational law, i.e. the principles laid out in a directive must be transformed / adopted into national law. Through this process, however, the EU guarantees that certain minimum standards will exist in all member states. In the context of this paper, the 4th, 7th and 8th EU directives influence corporate accounting and auditing.

4th EU Directive (Annual Accounts of Limited Companies)

Since it is mostly public limited companies that have internal audit departments, the regulations on accounts are important.

"This directive applies to all limited companies, except that Member States may exempt banks, other financial institutions and insurance companies. They also apply to certain types of partnerships.

The annual accounts are to comprise a balance sheet, a profit and loss account and the notes to the accounts. These documents constitute a composite whole. The Directives lay down the principles which govern the drawing up of these documents.

The balance sheet: the Directives provide for two balance sheet layouts, leaving it to the Member States to choose. It then lists the balance sheet items and comments on them.

The profit and loss account: several layouts are proposed from which Member States are free to choose. The Directives provide a commentary on certain items here too.

The Directives state general principles for the valuation of items in the annual accounts, such as prudence, consistency in the application of the methods of valuation, etc. They also set out specific valuation rules.

The Directives list the information which must be provided in the notes to the accounts: the valuation methods applied to the various items, undertakings in which the company holds a certain percentage of the capital, certain types of the company's debts, financial commitments not included in the balance sheet, etc.

The annual report must include a fair review of the development of the company's business and of its position. It must also provide information on any important events that have occurred since the end of the financial year, the company's likely future development and activities in the field of research and development.

The Directives lay down certain rules on publication (documents which must be published, etc.).

Lastly, the Directives provide for a system of auditing under which companies must have their annual accounts audited by one or more persons authorized by national law to audit accounts. Such a person or persons must also verify that the annual report is consistent with the annual accounts for the same financial year.

Less strict rules are laid down for small and medium-sized companies. Member States may lighten their obligations in respect of the publication of annual accounts or dispense small companies from the requirement that the annual accounts be audited.

"Small" companies are companies which, on their balance sheet dates, do not exceed the limits of two of the following three criteria:

balance sheet total: EUR 4 400 000;

net turnover: EUR 8 800 000;

number of employees: 50.

The corresponding figures for "medium-sized" companies are:

balance sheet total: EUR 17 500 000;

net turnover: EUR 35 000 000;

number of employees: 250." [18] 

Most of the regulations listed above are reflected in the IFRS standards, which since 2005 most European listed companies use for their accounts. IFRS standards become European law when the European Commission adopts them.

8. EU-Directive (Auditor Independence)

The 8th EU Directive is the basis for the provisions in the BilMoG. It states in summary:

"Persons responsible for carrying out audits of accounting documents may, depending on the law of each Member State, be natural or legal persons or other types of company, firm or partnership.

The Directive applies to persons responsible for carrying out:

statutory audits of the annual accounts of companies and firms and verifying that the annual reports are consistent with those annual accounts in so far as such audits and such verification are required by Community law;

statutory audits of the consolidated accounts of bodies of undertakings and verifying that the consolidated annual reports are consistent with those consolidated accounts in so far as such audits and such verification are required by Community law.

Persons responsible for carrying out audits of accounting documents must be of good repute and may not engage in any activity incompatible with the auditing of such documents.

A natural person may be approved to carry out statutory audits of accounting documents only after:

having attained university entrance level;

completed a course of theoretical instruction;

undergone practical training; and

passed an examination of professional competence of university, final examination level organized or recognized by the State.

Member States may nevertheless approve persons who do not satisfy some of the above conditions if those persons can show either:

that they have, for 15 years, engaged in professional activities which have enabled them to acquire sufficient experience in the fields of finance, law and accountancy and have passed the examination of professional competence;

that they have, for seven years, engaged in professional activities in those fields and have, in addition, undergone practical training and passed the examination of professional competence.

Member States must ensure that approved persons are liable to appropriate sanctions if they do not carry out audits honestly and independently.

Member States must ensure that the names and addresses of all natural persons and firms of auditors approved by them to carry out statutory audits of accounting documents are made available to the public." [19] 


"On 9 July 2009 the IASB published an International Financial Reporting Standard (IFRS) designed for use by small and medium-sized entities (SMEs). SMEs are estimated to represent more than 95 per cent of all companies. The standard is a result of a five-year development process with extensive consultation of SMEs worldwide." [20] 

The interesting fact is that the SME-IFRS were published after the German BilMoG came into effect. The SME project had been ongoing since 1998, so most of the results of those discussions were already incorporated into the BilMoG, so that it truly could be an alternative to the Full IFRS that public limited companies are required to use in Germany.

German SME companies will eventually have to decide which accounting standards to use, be it HGB or IFRS. The SME-IFRS could be an alternative that could open access to international financial markets without the disclosure demands and higher costs of Full IFRS reporting.

Currently, financial statements prepared under the SME-IFRS are not a legal alternative, as the SME-IFRS do not fall under the IAS conversion legislation of the EU which makes (new) IFRS become EU law. [21] Similarly, they are not covered by the "Memorandum of Understanding" for converging IFRS and US-GAAP, as in the US there are no separate accounting rules for SMEs.

Therefore, in the context of this paper, they do not represent a viable alternative set of accounting standards, although the concept for a "slimmer" IFRS set of rules is something important to push in coming years.

German Legislation


The Gesetz zur Kontrolle und Transparenz im Unternehmensbereich (KonTraG) came into effect on May 1, 1998, well before the prominent corporate accounting frauds and scandals at e.g. Enron in the USA. Germany had its own fair share of scandals, namely at Metallgesellschaft. [22] 

The KonTraG is an omnibus bill, i.e. it affects many existing laws such as the Aktiengesetz (AktG) and the HGB. The main goal is to improve corporate governance in German companies, for instance by enlarging the responsibilities of the executive board, the supervisory board and the external auditor. The core of the law is that the company leaders must implement (and maintain) a risk management system and comment on risks affecting the company in the notes to the financial statements.

The law adds a new paragraph §91 to the Aktiengesetz which obligates the board to ensure proper methods, in particular an internal control system, so that risks to the continuation of the company can be identified early. The external auditor is obligated to assess the existence and usage of a risk management system and corresponding measures in internal audit.

Additionally, the supervisory board now hires the external auditor and also is the primary recipient of the audit report. The external auditor is also obligated to attend the accounts review meeting.

Although these provisions were added to the Aktiengesetz, they do not only apply to public companies, as one might think. The rules also apply to the KGaA (Kommanditgesellschaft auf Aktien) and many GmbHs (Gesellschaft mit beschränkter Haftung), especially if a supervisory board exists. [23] 


The Bilanzrechtsmodernisierungsgesetz (BilMoG) was implemented on May 23, 2009 with the intent to transform the guidelines given in the Eighth EU-Directive. The main focus is to deregulate smaller and mid-size companies and thereby also reduce accounting costs.

The thresholds for determining small, midsize and large organizations were raised by 20%; the organization's size determines the company's responsibility to provide corporate information to the public. The scope of (external) auditing is also influenced by this classification, so that smaller companies are exempt from audit, which converges German audit standards with international auditing standards.

International investors have long criticized the German accounting standards given by the Handelsgesetzbuch (HGB) as being too creditor-friendly as opposed to serving investor interests. The main differences are fair value judgments and the treatment of intangible assets such as patents and licences.

Therefore, another goal of the BilMoG is to "enhance" the information that a former HGB financial statement would have given. The justification of the law explicitly mentions the intent of convergence to IFRS, however, without complicating accounting more than necessary. [24] 

The main changes introduced are:

Choice of capitalizing intangible (fixed) assets, e.g. patents, as long as the costs pertain to the development phase (not research).

Change in assessing / determining reserves, especially pension reserves

Restriction of setting up provisions for expenses

Purchased goodwill has to be capitalized and amortized

Valuation in accordance to full costs

Changed rules for currency translations

Changes for accruals of deferred tax liabilities

Inclusion of special purpose companies in the financial statements

Mandatory use of the fair value concept (revaluation). [25] 

In addition, material changes are required for the Notes of the financial statements.

In the context of this paper the main requirement of the BilMoG is that at least one supervisory board member needs to have competent knowledge of accounting and auditing. To comply with the 8th EU-Directive on auditor independence, §319a of the HGB was enhanced, e.g. a maximum of 15% of the annual revenues / auditor fees may be generated with one client. [26] 

U.S. Legislation

Although not a primary concern of this paper, US legislation is important because it was enacted for the same governance reasons and has implications for many German multinational companies with US operations or even German SME subsidiaries of US corporations.


The Sarbanes-Oxley Act of 2002 was enacted as a reaction to a number of major corporate and accounting scandals including those affecting Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. These scandals, which cost investors billions of dollars when the share prices of affected companies collapsed, shook public confidence in the nation's securities markets.

The legislation set new or enhanced standards for all U.S. public company boards, management and public accounting firms. It does not apply to privately held companies. The act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law. Harvey Pitt, the 26th chairman of the Securities and Exchange Commission (SEC), led the SEC in the adoption of dozens of rules to implement the Sarbanes-Oxley Act. It created a new, quasi-public agency, the Public Company Accounting Oversight Board, or PCAOB, charged with overseeing, regulating, inspecting and disciplining accounting firms in their roles as auditors of public companies. The act also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure.

The act was approved by the House by a vote of 423-3 and by the Senate 99-0. President George W. Bush signed it into law, stating it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt." [27] 

Debate continues over the perceived benefits and costs of SOX. Supporters contend the legislation was necessary and has played a useful role in restoring public confidence in the nation's capital markets by, among other things, strengthening corporate accounting controls. Opponents of the bill claim it has reduced America's international competitive edge against foreign financial service providers, saying SOX has introduced an overly complex regulatory environment into U.S. financial markets.

External Auditing (IdW / AICPA)

e.g. Consulting vs. Independence

Internal Auditing (IIR / IIA)

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. [28] 

Effects on Internal / External Audit Work


Conflicts of Interest


Expansion of Audit Committee involvement

The Sarbanes-Oxley Act had a strong influence on audit committees. In a U.S. publicly-traded company, an audit committee is an operating committee of the Board of Directors charged with oversight of financial reporting and disclosure. Committee members are drawn from members of the company's board of directors, with a Chairperson selected from among the committee members. A qualifying audit committee is required for a U.S. publicly-traded company to be listed on a stock exchange. To qualify, the committee must be composed of independent outside directors with at least one qualifying as a financial expert. Audit committees are typically empowered to acquire the consulting resources and expertise deemed necessary to perform their responsibilities. The role of audit committees continues to evolve as a result of the passage of the Sarbanes-Oxley Act of 2002. Many audit committees also have oversight of regulatory compliance and risk management activities. [29] 

Responsibilities of the audit committee typically include:

Overseeing the financial reporting and disclosure process.

Monitoring choice of accounting policies and principles.

Overseeing hiring, performance and independence of the external auditors.

Oversight of regulatory compliance, ethics, and whistleblower hotlines.

Monitoring the internal control process.

Overseeing the performance of the internal audit function.

Discussing risk management policies and practices with management.

Audit committees typically review financial reports quarterly and annually in publicly-traded companies. In addition, members will often discuss complex accounting estimates and judgments made by management and the implementation of new accounting principles or regulations. Audit committees interact regularly with senior financial management such as the CFO and Controller and are in a position to comment on the capabilities of these managers. Should significant problems with accounting practices or personnel be identified or alleged, a special investigation may be directed by the audit committee, using outside consulting resources as deemed necessary.

External auditors are also required to report to the committee on a variety of matters, such as their views on management's selection of accounting principles, accounting adjustments arising from their audits, any disagreement or difficulties encountered in working with management, and any identified fraud or illegal acts. [30] 

Future Outlook

Risk Management

Corporate Governance


Stakeholder Expectations (government, company shareholders, general public)

Segregation vs. Integration

Separation of Consulting and Auditing

Goldman Sachs (separating fees and consulting - conflict of interest)